Facebook Messenger Locky Ransomware Attacks Reported

In the past few days, Facebook Messenger Locky ransomware attacks have been discovered, exploit activity has increased, and malicious spam email volume has increased. Organizations now need to defense against a wide range of attack vectors

2016 – The Year of Ransomware

2016 has seen an explosion in the use of ransomware by cybercriminals and there is no sign of that changing in the near future. More than 200 ransomware families have now been identified, one of the most dangerous being Locky.

Locky ransomware was first discovered in February this year, but it has fast become one of the most prolific ransomware variants and has infected thousands of computers. No organization is immune to attack, although the gang behind the infections have been extensively targeting healthcare organizations. A number of U.S. healthcare providers have been forced to pay a ransom demand to recover their data.

Rather than cybercriminals having to break through company defenses to gain access to data, then exfiltrate files, and sell those data on the black market – a process that can take weeks before payment is received – ransomware is a quick and easy revenue generator. Payments are made within a few days of infection as many companies cannot continue to function without access to their data.

It is not even necessary for cybercriminals to develop their own ransomware. The malicious file-encrypting software can be ‘hired’ from the authors. By using ransomware-as-a-service, anyone with an Internet connection could run a ransomware campaign. Little skill is needed and attacks result in fast payment. It is therefore no surprise that the file-encrypting software has become so popular.

Infection can occur via malicious adverts, exploit kits, or via spam email. All of those infection vectors allow the attackers to bypass traditional cybersecurity defenses such as firewalls.

Some headway has been made by security researchers and decryptors have been developed for some ransomware variants. Wildfire, Chimera, Shade, TeslaCrypt, and CoinVault have all been cracked. However, Locky has so far resisted security researchers’ efforts to crack it.

The authors of the crypto-ransomware are also constantly updating Locky and new variants are regularly being released. At present, there is no decryptor available for Locky infections and victims are faced with three choices if they experience an infection:

Accept data loss

Pay the ransom demand to obtain a key to unlock data

Recover encrypted files from backups

Unfortunately for the victims, recovering encrypted files from backups can be complicated. Locky not only locks files with powerful encryption, the files names and file extensions are also changed. This makes it hard for victims to identify specific files. Locky also deletes Windows Shadow Copies to make it harder for victims to recover their data.

Facebook Messenger Locky Ransomware Attacks Reported

The authors behind Locky have experimented with exploit kits to spread infections, although since the demise of the Angler and Neutrino exploit kits, Locky has primarily been distributed via spam email. Massive spam email campaigns are used to spread the malicious software. Those campaigns involve many millions of emails.

However, earlier this month, security researchers noticed that the cybercriminal gang behind Locky has started to use exploit kits again. The Bizarro Sundown exploit kit has been discovered to be spreading Locky. More worrying, Facebook Messenger Locky ransomware attacks have now been reported.

The Facebook Messenger Locky ransomware attacks were noticed by security researcher Bart Blaze earlier this month. Malicious messages are being sent to Facebook Messenger users which contain an .SVG image file. That image file is not what it seems. It contains the Nemucod downloader – malicious JavaScript code embedded in the image. The code is run when the image file is opened and Nemucod then downloads Locky.

The social media giant has confirmed that Facebook Messenger Locky ransomware attacks have occurred, although Facebook was quick to point out that infections are occurring via “a poorly implemented extension for Google’s Chrome browser.”

Security controls are generally very good at Facebook, but they are not infallible. Facebook Messenger Locky ransomware attacks are a major risk and users must exercise caution.

As with spam email, users should not open any attachments from individuals they do not know. Even when image files and other file types are received via messenger apps and spam email from individuals that are known to the recipient, they should be treated with suspicion.

How to Reduce the Risk of a Ransomware Infection

Businesses need to implement defenses to reduce the risk of a ransomware infection. The consequences for taking no action can be severe.

Ransomware infections can spread laterally through a network and ransomware gangs require payment for each infected machine and can even set the price per infected organization. The Locky ransomware attack on Hollywood Presbyterian Medical Center in February resulted in a ransom payment of $17,000 being made, in addition to the considerable cost associated with removing the infection and recovering from more than a week without access to key information systems.

One of the best defenses against ransomware is WebTitan. WebTitan is an innovative web filtering solution that can be configured to limit access to websites known to host exploit kits. Malicious third-party adverts (malvertising) can be blocked, along with websites that carry a high risk of being exploited by hackers to spread infections.

The best way for businesses to ensure that Facebook Messenger Locky ransomware attacks do not occur is to block Facebook Messenger entirely. With WebTitan, blocking Facebook Messenger – without blocking the Facebook website- is a quick and easy task.

By limiting the websites that can be visited by employees and blocking Facebook Messenger and other chat platforms, organizations can greatly improve their security posture and prevent ransomware from being installed.

For further information on the full range of features of WebTitan, details of pricing, and how to register for a free no-obligation trial, contact the TitanHQ sales team today.